When an SMB client tries to access a native SMB file (that is, with Windows security information), the server checks the user information against the file's security information to determine whether an operation is permissible:
- User Security. This information is contained in an access token, which is made up of the user security identifier (SID), primary group SID, and other SIDs. The server receives the token from the domain controller and caches it for use throughout the user's session.
- File Security. This information is contained in a file's security descriptor, which is made up of the owner SID, group SID, and access control list (ACL). The ACL can contain several access control entries (ACEs), which specify the conditions for access.
ACEs can be modified or deleted using a set of CLI commands called the cacls commands. This set of commands includes cacls-add, cacls-del, cacls-fields, cacls-mask-in, cacls-mask-out, and cacls-set. For more information on these commands, refer to the Command Line Reference.
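The check of a user's access token against a file's security descriptor, sketched as an added example (not code from the product or its documentation). It goes beyond the text by assuming the standard Windows rule that ACEs are evaluated in order and that a deny ACE stops the check when it matches a requested right not yet granted. The SIDs, class names and `access_check` function are constructed for illustration, and implicit owner rights are left out.

```python
from dataclasses import dataclass

# Access-mask bits (standard Windows file access rights).
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x00010000

@dataclass(frozen=True)
class Token:                      # user security, cached by the server per session
    user_sid: str
    primary_group_sid: str
    other_sids: frozenset = frozenset()

    def sids(self):
        return {self.user_sid, self.primary_group_sid} | self.other_sids

@dataclass(frozen=True)
class Ace:
    allow: bool                   # True = access-allowed ACE, False = access-denied ACE
    sid: str
    mask: int

@dataclass(frozen=True)
class SecurityDescriptor:         # file security
    owner_sid: str
    group_sid: str
    acl: tuple

def access_check(token, sd, desired):
    """Walk the ACL in order; True only if every desired bit ends up granted."""
    granted = 0
    sids = token.sids()
    for ace in sd.acl:
        if ace.sid not in sids:
            continue              # ACE names a SID the token does not carry
        if not ace.allow and ace.mask & desired & ~granted:
            return False          # deny ACE hits a requested bit not yet granted
        if ace.allow:
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return False                  # ACL exhausted with rights still missing

# Constructed sample data: these SIDs and this ACL are illustrative only.
ALICE = Token("S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", frozenset({"S-1-5-21-1-2-3-2001"}))
REPORT = SecurityDescriptor("S-1-5-21-1-2-3-1002", "S-1-5-21-1-2-3-513", (
    Ace(False, "S-1-5-21-1-2-3-2001", FILE_WRITE_DATA),   # deny write to a group Alice is in
    Ace(True, "S-1-5-21-1-2-3-513", FILE_READ_DATA | FILE_WRITE_DATA),
))
```

With this ACL, Alice can read but not write, because the deny ACE for one of her other SIDs is reached before the allow ACE for her primary group; reordering the two ACEs changes the result, which is why ACE edits should be reviewed for their position as well as their content.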